Spearphishing, rising ransomware attacks threaten utilities sectors – Go Health Pro

Ransomware attacks against utilities organizations have increased by 42% over the past year, with 81% of all attacks against the utilities sector involving spearphishing, a report by ReliaQuest published Tuesday revealed.

In a study conducted between November 2023 and October 2024, ReliaQuest researchers analyzed customer alerts from its GreyMatter security operations platform along with dark web activity, finding that utilities like water and energy were disproportionately affected by spearphishing and ransomware compared with other industries, likely due to their unique position in critical infrastructure.

On average across all sectors, spearphishing only accounted for 23% of alerts during the reporting period, compared with 81% for utilities. Close to a third (31.5%) of utilities alerts involved spearphishing links, while 27.9% involved internal spearphishing and 21.5% involved a spearphishing attachment.

ReliaQuest noted that the prevalence of internal spearphishing was likely due to the large number of contractors and third parties that utilities organizations work closely with.

“Employees in the sector frequently receive emails from numerous different senders, which may lead to reduced vigilance when interacting with unfamiliar messages, particularly those that appear to come from trusted sources,” the report stated. “This makes it easier for phishing emails to slip through unnoticed.”

Nearly 10% of utilities alerts involved the DNS application layer protocol, a higher proportion than most other industries, according to ReliaQuest. The researchers noted this could be due to the high volume of internet-of-things (IoT) devices used in the sector, leading to a higher amount and greater complexity of DNS traffic.

Overall, a combination of the need to minimize downtime and the use of legacy operational technology (OT) systems in the utilities sector magnifies the risk of unpatched vulnerabilities being exploited and security measures being sacrificed for maximum uptime.

Play ransomware accelerates targeting of utilities organizations

A total of 75 utilities organizations were posted to ransomware leak sites during the study period – 42% more than during the previous 12-month period, ReliaQuest reported. Notably, the Play ransomware group listed 10 victims in the utilities sector between November 2023 and October 2024, compared with only three listed during the previous 12 months, representing a 233% increase in successful attacks.

Overall, Play claimed the second largest number of utilities victims among ransomware groups, with LockBit claiming the most, followed by the now-defunct ALPHV/BlackCat group, Akira and 8base as the top five ransomware threats to utilities during the study period. Utilities also saw a disproportional number of attacks by these top five groups compared to other industries, ReliaQuest reported.

This increase in attacks could be due to a general increase in ransomware-as-a-service (RaaS) operations and ransomware attacks across industries, but could also be due to an increasing adoption of industrial IoT systems that may not be regularly updated, leaving more vulnerabilities open to exploit, ReliaQuest stated.

The company also said Play in particular may be seeking to take advantage of the shifting RaaS landscape by targeting more high-profile critical infrastructure organizations to attract affiliates from ALPHV/BlackCat and the weakening LockBit operation.

How utilities organizations can prepare for 2025 threat landscape

The ReliaQuest report offers several recommendations for utilities organizations to mitigate rising threats, including utilizing automated systems to speed up incident response and increasing employee awareness about phishing and spearphishing attacks.

Advanced email security systems that are especially equipped to detect and disrupt phishing can prevent employees from being exposed to social engineering schemes that are overwhelmingly used to gain access to utilities’ OT systems, which can ultimately lead to infiltration of IT environments.

Isolating systems to prevent lateral movement, ensuring proper configuration of firewalls, monitoring network traffic for anomalies and disconnecting unnecessary internet-exposed systems are also measures that can decrease an organization’s attack surface and contain the impact of an intrusion.

Investigations of dark web forums showed how threat actors search for internet-exposed IoT and industrial control systems (ICS), demonstrating the importance of understanding one’s own attack surface and cutting off unneeded internet access from potentially vulnerable OT systems.

Utilities organizations should also be aware of the threat groups targeting critical infrastructure sectors and their tactics, including ransomware and adversarial nation-state groups. For example, organizations can defend against attacks by Play by using Group Policy Objects (GPOs) to restrict remote-access tools commonly used by the group, including RDP, SystemBC, and PsExec, ReliaQuest noted.
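As an added illustration that is not part of the ReliaQuest report, the following PowerShell applies local-policy equivalents of the restrictions described above for the two admin tools the article names, RDP and PsExec, and checks for evidence of PsExec use; the same settings can be pushed domain-wide through a GPO. It assumes a Windows host with Microsoft Defender and the NetSecurity module, an elevated session, and a hypothetical jump-host address that you would replace with your own.

```powershell
# Added example (not from the ReliaQuest report). Run elevated.
# $JumpHost is a hypothetical placeholder for the only host that should reach RDP.
$JumpHost = '10.0.0.5'

# 1. RDP: scope the built-in "Remote Desktop" inbound rules to the jump host only.
#    Windows Firewall's default inbound action is Block, so every other source
#    is denied without needing an explicit block rule (block rules would also
#    override the allow and lock out the jump host).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $JumpHost

# 2. PsExec: enable the Defender attack surface reduction rule
#    "Block process creations originating from PSExec and WMI commands".
$AsrPsExecWmi = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrPsExecWmi `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Verify the firewall scope and the ASR rule actually took effect.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
(Get-MpPreference).AttackSurfaceReductionRules_Ids

# 4. Detection: PsExec installs a service named PSEXESVC on the target, which
#    Windows records as a System log event ID 7045. Any hit here that is not
#    from an authorized admin session deserves investigation.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, Message
```

SystemBC is malware rather than an administrative tool, so it is not addressed by these settings; blocking its outbound command-and-control traffic belongs with the network-monitoring measures described earlier in the article.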

The China-linked threat group Volt Typhoon also commonly targets utilities, often utilizing spearphishing and vulnerabilities in unpatched network devices like routers to gain initial access. With the upcoming presidency of Donald Trump likely to increase tensions between the United States and adversaries like China and Iran, critical infrastructure organizations, including utilities, will need to be more vigilant and harden their systems against future attacks, ReliaQuest concluded.
